Privacy groups urge investigation of 'internet of toys'

Two toys aimed at young children don't have adequate privacy and security controls, groups in the US and Europe say

Privacy groups in the U.S. and seven European countries will ask consumer protection agencies to investigate the maker of two internet-connected toys for violations of laws designed to protect children's privacy.

The complaints are scheduled to be filed Tuesday against Genesis Toys, maker of the My Friend Cayla and I-Que Intelligence Robot toys, and Nuance Communications, the provider of voice-recognition software for the products.

The complaints, to be filed in the U.S., France, Sweden, Greece, Belgium, Ireland, the Netherlands, and Norway, may be only the beginning of actions taken by consumer and privacy groups targeting a lucrative slice of the internet of things market, the so-called internet of toys.

Consumer and privacy groups are "worried about the lack of consumer and data protection for children in the rapidly emerging internet of things," said Jeffrey Chester, executive director of privacy group the Center for Digital Democracy. The groups are "calling for an investigation into these products targeting children, with the goal, of course, of having them pressed to change their practices."

But the groups have a larger goal, he said by email. "We are putting the Internet of Things industry on notice that consumer advocacy groups are aggressively watching these developments with alarm, and expect them to create products that protect young people and positively support their psychosocial development," he said. "The industry must adopt safe practices."

Representatives of Genesis and Nuance didn't immediately respond to a request for comments on the complaints.

The U.S. complaint against Genesis and Nuance, filed by the Electronic Privacy Information Center, the Center for Digital Democracy, and other groups, alleges a "lengthy" list of privacy violations by the two toys. They collect, use, and share audio files of children's voices without providing adequate notice of collection or obtaining verified consent from parents, the complaint says.

The two toys, targeted at children as young as 4 years old, also fail to use authentication to prevent unauthorized Bluetooth connections with the toys, according to the complaint. When the toys are powered on and not already paired with another device, "any smartphone or tablet within a 50-foot range can establish a Bluetooth connection with the dolls," the complaint said.

The Cayla doll prompts children to provide their names, their parents' names, the name of their school, and the name of the place where they live, the complaint says. The information is shared with Nuance, which also offers law enforcement and intelligence products, and that company has few restrictions on how it can use the information from the toys, the groups say.

In addition, packaging for the Cayla doll makes no mention of privacy issues, and locating its terms of service is a "major challenge," the privacy groups allege. The privacy policy and terms of use provide little information about what information is collected from children or how it's used, the groups say.

The lack of privacy and security protections amount to unfair and deceptive business practices, a violation of the U.S. Children's Online Privacy Protection Act (COPPA) and European privacy law, the groups say.

A report from the Norwegian Consumer Council compares the two Genesis toys to Hello Barbie, another internet-connected toy, and finds Barbie offers a handful of additional privacy protections. A YouTube video shows how people with smartphones can eavesdrop on Cayla owners.